Published online by Cambridge University Press: 07 May 2021
Abstract: Despite the federal Department of Health and Human Services’ provision of considerable guidance and technical assistance to covered entities and business associates regarding their responsibilities under the HIPAA Privacy, Security, and Breach Notification Rules (HIPAA), little is known about the extent of compliance across the healthcare industry as well as reasons for noncompliance. This chapter reviews academic, industry, and government studies assessing HIPAA compliance and presents relevant insights. These insights relate to the extent to which small numbers of covered entities comply with the HIPAA Privacy Rule’s plain language requirement, the HIPAA Privacy Rule’s access to protected health information requirement, the HIPAA Security Rule’s addressable encryption standard, and the HIPAA Security Rule’s audit logs and access reports requirement. Additional insights relate to the extent to which covered hospitals and health systems believe that they are complying with the HIPAA Privacy and Security Rules, the impact of HITECH on data breaches involving business associates, the organizational strategies and institutional environments that influence compliance, and the extent to which institutional pressures and internal security needs assessments influence investment in security compliance.